Home > Vulnerability Database > CVE-2025-14177

Mend.io Vulnerability Database

CVE-2025-14177

Good to know:

Date: December 27, 2025

In PHP versions:8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server.

Severity Score

4.0

Related Resources (3)

Url: https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-14177

Url: https://www.mend.io/vulnerability-database/CVE-2025-14177

Severity Score

4.0

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

Upgrade Version

Upgrade to version https://github.com/php/php-src.git - php-8.5.1;https://github.com/php/php-src.git - php-8.4.16;https://github.com/php/php-src.git - php-8.3.29;https://github.com/php/php-src.git - php-8.2.30;https://github.com/php/php-src.git - php-8.1.34

Learn More

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-14177

Good to know:

Date: December 27, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?